E-Mails, DNS via DA - AlmaLinux10

Cordarex

Hello everyone,
Is it really due to a broken email ecosystem, or am I doing something wrong? I have a dedicated VPS with Hetzner and have been trying to get the mail system working for quite some time now.

Surely it must be possible to send emails? For some reason, I'm already on spam lists, although they're not the heavyweight ones. I'm wondering whether it makes sense to run DA at all if I still need a relay and have to build up a reputation over a long period of time before I can send a few emails.

I tried running a master & slave with BIND for the NS records. Unfortunately, my domain registrar didn't accept that, so now I'm using Hetzner's DNS. I've tried everything, switched to a central mail.domain.xx so that all mailboxes run on a uniform structure.

I really wonder how anyone can manage >100 pages with all this crap (I don't mean DA!)?

Now here's my question for you – am I doing something wrong and should I have DA set it up for me directly via the installation service, or is it just the way it is and the DNS stuff doesn't necessarily have to work easily via DA? Emails? Oh well, I can send one to a Gmail account in six months' time.

Best regards & thanks!
 
Well... unfortunately we do not maintain a crystal ball so we have no clue as to what is going on, it's guesswork.
To begin with, did Hetzner open port 25 for you? As for new customers on vps systems they have port 25 closed.

Probably it was open at some time, because the ip is on some blacklists.

Did you do something wrong? Maybe, no way of telling without additional information and lack of crystal ball. ;)

Did you change the default DA hostname, did you keep yourself to the RFC requirements for mailing, a correct FQDN hostname is used, MX records are correct, the PTR record(s) is/are correct?
All things which can make outgoing mail go bad.

Normally with DA one can email just as well as with any other panel. If things don't work then in 90% it's a closed port 25 and 10% config issue.
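
The hostname and PTR items in the checklist above can be tested mechanically, for IPv4 and IPv6 alike. The following Python sketch is an added example, not code from any poster or from DirectAdmin; `check_sender`, its parameters and the sample names and addresses are assumptions made for illustration, and the lookups are injectable so the constructed sample runs offline.

```python
import ipaddress
import socket

def live_ptr(ip):
    """PTR name for ip via the system resolver, or None."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def live_addrs(name):
    """A/AAAA addresses for name via the system resolver."""
    try:
        return {ai[4][0] for ai in socket.getaddrinfo(name, None)}
    except OSError:
        return set()

def check_sender(hostname, ips, hosted_domains=(), ptr=live_ptr, addrs=live_addrs):
    """Return the identity problems found for a mail server; [] means consistent."""
    host = hostname.rstrip(".").lower()
    problems = []
    if "." not in host:
        problems.append(f"hostname '{host}' is not fully qualified")
    # Assumption of this sketch: the hostname should be a host under the
    # domain (server.domain.com), not a domain that is itself hosted.
    if host in {d.lower() for d in hosted_domains}:
        problems.append(f"hostname '{host}' is also a hosted domain")
    for ip in ips:
        name = (ptr(ip) or "").rstrip(".").lower()
        if not name:
            problems.append(f"{ip}: no PTR record")
            continue
        forward = {ipaddress.ip_address(a) for a in addrs(name)}
        if ipaddress.ip_address(ip) not in forward:
            problems.append(f"{ip}: PTR {name} does not resolve back to it")
        if name != host:
            problems.append(f"{ip}: PTR {name} differs from hostname {host}")
    return problems

# Constructed resolver answers: IPv4 PTR set, IPv6 PTR forgotten.
SAMPLE_PTR = {"192.0.2.10": "server.example.test"}
SAMPLE_FWD = {"server.example.test": {"192.0.2.10", "2001:db8::10"}}

def sample_check(hostname, hosted=()):
    return check_sender(hostname, ["192.0.2.10", "2001:db8::10"], hosted,
                        SAMPLE_PTR.get, lambda n: SAMPLE_FWD.get(n, set()))

if __name__ == "__main__":
    print(sample_check("server.example.test"))
    print(sample_check("example.test", hosted=["example.test"]))
```

Called without the `ptr` and `addrs` arguments, `check_sender` uses the system resolver, so it can be run on the mail server itself against its real hostname and addresses.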
 
Hetzner block ports 25 and 465 by default if you are a new customer. You need to have paid your first month's bill and open a support ticket for them to open the ports on the server. I've been with them a good while now and don't get many issues, but even when I order a new bare metal server, I occasionally get fraud checked and have to request the ports be opened.


They are really reasonable if you have a proper use case for it so drop them a ticket.

To be totally sure it's a port issue, you can check with netcat and you will get a succeeded message if you can get out on that port

Bash:
root@v1 ~ # nc -zv smtp.gmail.com 587
Connection to smtp.gmail.com (2a00:1450:400c:c1b::6d) 587 port [tcp/submission] succeeded!
root@v1 ~ # nc -zv smtp.gmail.com 465
Connection to smtp.gmail.com (2a00:1450:400c:c1b::6d) 465 port [tcp/submissions] succeeded!
root@v1 ~ # nc -zv smtp.gmail.com 25
Connection to smtp.gmail.com (2a00:1450:400c:c1b::6d) 25 port [tcp/smtp] succeeded!
root@v1 ~ #

You can always use port 587 with SMTP and STARTTLS in the meantime if you're able to relay the mail 😁👌
 
You two have really saved me a lot of time. Thank you very much!

It was port 25 exactly!

Now that I've probably manipulated a lot, I'm tempted to just reinstall DA completely.

I set IPv4 and IPv6 reverse IP and they were accepted. I also implemented all other aspects.

The DNS setting in DA is currently of no use to me, as I run the NS entries from my domain registrar via Hetzner. This means that I would have to create every new domain in Hetzner as well and manually enter all DNS records. I would very much appreciate a note in the help section, but unfortunately I can't find anything on this subject.

DA / Admin:
panel.domain.com
User1:
domain.com

Global NS:
ns1.panel.domain.com
ns2.panel.domain.com

Mail:
Mail.domain.com -> Identical for every user, uniform MX record leads from domain2.com of user2 to mail.domain.com

Or am I missing something here?

Unfortunately, my registrar for domain.com does not accept the ns1 and ns2 records.
 
Can't see any issues if you're using Hetzner for their DNS. If you wanted to take advantage of DA for the DNS, it's really good. You'd need to create some glue records for your domain to effectively point to itself. Each NS would have your server's IPs glued to them and DA would create the DNS records for it. I run my own nameservers (have three separate DA servers solely for that purpose).

mail.domain.com is pretty standard for MX records. Again, you'd have to create them with Hetzner, along with an A record for your server hostname. I'd recommend you do that before you install DA as the TLS cert for the control panel will create itself instantly.

1 advantage of using the DNS with DA is free wildcard SSL certificates with Let's Encrypt. If your DNS is handled elsewhere you're limited to set certs with domain name and subdomains as you create them.

I would also recommend setting the env variables DA_NS1, DA_NS2, DA_HOSTNAME and DA_EMAIL before you run the install script. If you don't, you run the risk of DA creating its own login and panel login, and you'd have to go and change the hostname in DA manually. Also if you run the install script without the licence key, you can take advantage of the web installer which is new and spicy.

There's always good help and advice in here if you get stuck.
 
The DNS setting in DA is currently of no use to me,
It's of no use, but best is to keep as is or set it to your own domain name locally, because DA uses this DNS locally to find its domains.

However I would suggest to set a correct FQDN hostname (click) to begin with if you want to mail from this system too.
A correct hostname is for example server.domain.com and then you can also create ns1.domain.com and ns2.domain.com for your admin domain to keep things easy and eventually easy to adjust for later.

As for MX records, yes mail, pop and smtp are done by default.
By default every domain has its own MX record. So domain.com has mail.domain.com and example.org has mail.example.org, which is normal.

If you do not run your own nameservers but external ones (like Hetzner or any other external DNS), then indeed you have to copy the records you want to use from DA to that external DNS, which can also be another registrar's DNS, unless you want to register all your domains with Hetzner.
Be aware that also goes for SPF and DKIM and for example DMARC records if you want to use those too and the same for ipv6 records.
 
I can recommend using the DNS (got one primary + 2 secondary with directslave).
Glue records for my primary server domain, and ns at my ips pointing to da.

works like a charm
 
It's always better to use own nameservers, but not everybody has the money to pay for a vps and run DS on it. Although for example with some vps providers it's maybe 5-7 euro/month extra and that is including an ipv4 and ipv6 address.
 
Hmm... I see possibilities... I think I can offer a second and third DNS for €1/each a month.
 
After sour experiences with VULTr and blacknight I found MXroute which led me to Hetzner and the DirectAdmin Personal Plus package.

There is little DA initial setup info on youtube, and the DirectAdmin guides seem to be a bit advanced for someone who just wants to get away from GMail. I am going to try to compile a setup guide and post it on this forum, I think this @Cordarex thread is a great starting point, especially thanks to @Richard G as well as @DrWizzle.

I have three domains all which point to Hetzner NS Name Servers:

fiefdom.com - Purchased exclusively for using DirectAdmin Personal Plus, a FastSSL DV was also bought (cn: fiefdom.com and www.fiefdom.com)
knights.com - Used only for emails by myself
squires.com - Used only for emails by myself

Citing the @Cordarex post for continuity's sake, I am hoping to achieve the following:-

DA / Admin:-
cp.fiefdom.com (I prefer www for the FastSSL DV use)

User1:
fiefdom.com (default)
knights.com
squires.com

Global NS:-
hydrogen.ns.hetzner.com
oxygen.ns.hetzner.com

Mail:-
mail.fiefdom.com -> Identical for every user, uniform MX record leads from knights.com and squires.com to mail.fiefdom.com

This makes setting up IMAP easier for the three accounts on all devices, and it looks more professional imo.

@DrWizzle mentioned

If you wanted to take advantage of DA for the DNS, it's really good. You'd need to create some glue records for your domain to effectively point to itself. Each NS would have your servers IPs glued to them and DA would create the DNS records for it.

DNS Records.PNG


May I ask, @DrWizzle in your opinion, what glue records am I missing here?

intoDNS tells me in Glue for NS records that "INFO: GLUE was not sent ... You can fix this for example by adding A records to your nameservers for the zones listed above."

30 OCT 2025 How I installed DirectAdmin on hetzner.com

I chose Debian 13 instance

sudo hostnamectl set-hostname fiefdom.com
sudo nano /etc/hosts

hosts.PNG


sudo apt update
sudo apt full-upgrade

sh <(curl -fsSL https://download.directadmin.com/setup.sh)

INIT 1.PNG


I have had a lot of errors/crashing in the past, with updates etc. so for email stability purposes, I would prefer that Hetzner manage my DNS zones.

Which option is correct in this case?

Using option three, in the DA panel (www.fiefdom.com) I get a couple errors off the bat when I try to setup fiefdom.com in the User Domain Setup.

DomainError.PNG


BuildError.PNG


DefaultBuild.PNG


exim error.PNG


What am I doing wrong that these are the first errors that I get from a fresh install?

Thanks everyone
 
Global NS:-
hydrogen.ns.hetzner.com
oxygen.ns.hetzner.com

Mail:-
mail.fiefdom.com -> Identical for every user, uniform MX record leads from knights.com and squires.com to mail.fiefdom.com

This makes setting up IMAP easier for the three accounts on all devices, and it looks more professional imo.

@DrWizzle mentioned



View attachment 9405

May I ask, @DrWizzle in your opinion, what glue records am I missing here?

intoDNS tells me in Glue for NS records that "INFO: GLUE was not sent ... You can fix this for example by adding A records to your nameservers for the zones listed above."

Hi @Hetzner DirectAdmin , Apologies, I missed this post for some reason.

Glue records are set at your domain registrar (whoever you buy the domain from). They are used when you buy a domain.com and want to use nameservers ns1.domain.com and ns2.domain.com.

As you are using Hetzner's DNS (Above) and their nameservers, you don't need any glue records. If, however, you decided further down the line you wanted to use the DNS function of DirectAdmin and run your own vanity nameservers to match your domain (like I do) you'd have to set glue records at your registrar which basically tell the root nameservers the IP of your custom DNS so that it resolves, or your domain would never resolve. I wrote about this in a post a while ago, and if you need any help with glue etc, give me a shout.

For now though, as you are using Hetzner DNS, things look good.

PS. * DON'T FORGET (VERY IMPORTANT) * When you create your domains on your server, as you're using Hetzner (an external to DA DNS) DirectAdmin assumes you are using its own DNS and creates all the records for you. You MUST copy across the TXT records for your DKIM, dmarc and SPF to Hetzner if you haven't already. Without these, mail will fail spectacularly over time.
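
The copy step described in this post, and in the earlier reply about external DNS, can be verified by diffing the mail-relevant records of the DA-generated zone against a zone export from the external DNS. This is an added example, not part of the original posts and not DirectAdmin code; the zone contents, `example.test`, the DKIM value and all function names are constructed, and only single-line records are parsed.

```python
import re

# One record per line: name [ttl] [IN] type rdata. A mid-line ';' is kept: DKIM/DMARC use it.
RECORD = re.compile(r'^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?(A|AAAA|MX|TXT)\s+(.+)$', re.I)

def fqdn(name, origin):
    name = name.lower()
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def canon(rtype, rdata, origin):
    if rtype == "TXT":  # join 255-byte chunks so "a" "b" compares equal to "ab"
        chunks = re.findall(r'"((?:[^"\\]|\\.)*)"', rdata)
        return "".join(chunks) if chunks else rdata.strip()
    if rtype == "MX":
        prio, host = rdata.split()[:2]
        return f"{int(prio)} {fqdn(host, origin)}"
    return rdata.strip().lower()

def parse_zone(text, origin):
    """Return {(fqdn, type): {values}} for A/AAAA/MX/TXT records."""
    origin = origin.lower().rstrip(".") + "."
    records = {}
    for line in text.splitlines():
        m = None if line.startswith((";", "$")) else RECORD.match(line)
        if m:
            key = (fqdn(m.group(1), origin), m.group(2).upper())
            records.setdefault(key, set()).add(canon(key[1], m.group(3), origin))
    return records

def drift(da_zone, external_zone, origin):
    """Mail-relevant records in DA's zone that the external DNS lacks or changed."""
    da, ext = parse_zone(da_zone, origin), parse_zone(external_zone, origin)
    mx_hosts = {v.split()[1] for (_, t), vals in da.items() if t == "MX" for v in vals}
    findings = []
    for (name, rtype), values in sorted(da.items()):
        if rtype in ("A", "AAAA") and name not in mx_hosts:
            continue  # only the MX target's address records matter for mail
        published = ext.get((name, rtype), set())
        for value in sorted(values - published):
            findings.append(("DIFFERS" if published else "MISSING", name, rtype, value))
    return findings

# Constructed sample zones: SPF was edited at the external DNS, DMARC never copied.
DA_ZONE = '''mail 3600 IN A 192.0.2.10
@ 3600 IN MX 10 mail
@ 3600 IN TXT "v=spf1 a mx ip4:192.0.2.10 ~all"
_dmarc 3600 IN TXT "v=DMARC1; p=none"
x._domainkey 3600 IN TXT ( "v=DKIM1; k=rsa; p=CONSTRUCTED" "KEYDATA" )'''
EXTERNAL_ZONE = '''mail 3600 IN A 192.0.2.10
@ 3600 IN MX 10 mail.example.test.
@ 3600 IN TXT "v=spf1 mx -all"
x._domainkey 3600 IN TXT "v=DKIM1; k=rsa; p=CONSTRUCTEDKEYDATA"'''
print(*drift(DA_ZONE, EXTERNAL_ZONE, "example.test"), sep="\n")
```

The DKIM record is not reported even though one side stores it as two quoted chunks, and the relative MX target `mail` matches the absolute `mail.example.test.`; only the changed SPF value and the uncopied DMARC record show up.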
 
If, however, you decided further down the line you wanted to use the DNS function of DirectAdmin and run your own vanity nameservers to match your domain (like I do)

Yes, I have read about your three NS servers on other posts, I would like to get to that level eventually.

I bought two of the domains in Canada(.ca), two in Ireland (.ie) and one in Chile (.cl) and one in Morocco (.ma)

So I am stuck with each country's registrar, but I have everyone pointing to hydrogen.ns.hetzner now.

For now though, as you are using Hetzner DNS, things look good.

As I did not and can not buy any domains from Hetzner, would I still be able to glue? Just out of curiosity.

PS. * DON'T FORGET (VERY IMPORTANT) *

hehe, I am on that like white on rice since day one. I just copy over the DA DNS to Hetzner Console

However on that note, I have one question.

Is it okay that all my domains use the mx 10 mail.fiefdom.com. ?

Happy Halloween !!!!!!!!!!
 
Yes, I have read about your three NS servers on other posts, I would like to get to that level eventually.

I bought two of the domains in Canada(.ca), two in Ireland (.ie) and one in Chile (.cl) and one in Morocco (.ma)

So I am stuck with each country's registrar, but I have everyone pointing to hydrogen.ns.hetzner now.



As I did not and can not buy any domains from Hetzner, would I still be able to glue? Just out of curiosity.
Yes, example, you buy domain.com from namecheap: You'd go into the DNS /Nameserver section of the control panel, enter one.domain.com and two.domain.com as the nameservers, and in the box next to them the IP address of each nameserver, example 10.10.10.10 , 10.10.10.11

You need a minimum of 2 nameservers, max of around 7 I believe, some registrars will let you have nameservers with same IP address (example, your server IP) and some require individual. All depends on the registrar

If you "Glue" nameservers, you'll need to use your own DNS with your DA server. Very simple, and with multi server support, it's a few clicks and done.
hehe, I am on that like white on rice since day one. I just copy over the DA DNS to Hetzner Console

However on that note, I have one question.

Is it okay that all my domains use the mx 10 mail.fiefdom.com. ?

Happy Halloween !!!!!!!!!!
Yes that's absolutely fine, as long as all the mail accounts are on the server that the IP "mail.fiefdom.com" points to.

And a happy hallowe'en to your good self too 😁

[Quick Edit]

Just thought I'd note also, whilst I've no problems with you sharing IP addresses, domains and mail addresses here, please consider this is a public forum, crawled by bots at times and sometimes with nefarious intentions. Consider your server / site's security by obfuscating things like hostnames, email addresses and usernames.

All the best!
 
Just thought I'd comment here as well to help you for future installs/reference
30 OCT 2025 How I installed DirectAdmin on hetzner.com

I chose Debian 13 instance

sudo hostnamectl set-hostname fiefdom.com
sudo nano /etc/hosts

View attachment 9406

Error in the file above, one line should read something like:

Bash:
127.0.1.1 hostname.fiefdom.com hostname
(where your server's hostname replaces "hostname")

Also you should have a file called /etc/hostname and the contents should simply be:
Bash:
hostname
(hostname without domain)

sudo apt update
sudo apt full-upgrade

sh <(curl -fsSL https://download.directadmin.com/setup.sh)

View attachment 9407
Option 1:
looks fine, except I wouldn't use 'cp' as the hostname. You can create an A record later directing users to your control panel with cp

Option 2:
cp issue again
"Glued" vanity Nameservers. As they don't exist, your domains would never resolve.

Option 3:
www as server hostname conflicts with Apache (httpd) hence the errors below.

All options:
Consider not using "admin" as username, reduces attack area for brute force.

I have had a lot of errors/crashing in the past, with updates etc. so for email stability purposes, I would prefer that Hetzner manage my DNS zones.

Which option is correct in this case?

Using option three, in the DA panel (www.fiefdom.com) I get a couple errors off the bat when I try to setup fiefdom.com in the User Domain Setup.

View attachment 9408

View attachment 9409

View attachment 9410

View attachment 9411

What am I doing wrong that these are the first errors that I get from a fresh install?

Thanks everyone
 
To use glue records, you don't 'need' your own nameservers. All you need are the nameservers that your domain actually resides on, which can simply be the nameservers of your registrar if they provide dns services.
 
To use glue records, you don't 'need' your own nameservers. All you need are the nameservers that your domain actually resides on, which can simply be the nameservers of your registrar if they provide dns services.
You're right. From experience, some providers will do it free of charge, others charge fees which I've found can be quite expensive.

There are some good DirectAdmin (Other providers are available) out there that will allow you to use their DNS servers, and are set up for this. I've only ever used DA providers with reseller accounts years ago to do it this way.

But.. If you have your own VPS, there's no reason why you can't use the DNS provided by DA on it and do it yourself, even with a single IP 😁
 
You're right. From experience, some providers will do it free of charge, others charge fees which I've found can be quite expensive.

There are some good DirectAdmin (Other providers are available) out there that will allow you to use their DNS servers, and are set up for this. I've only ever used DA providers with reseller accounts years ago to do it this way.

But.. If you have your own VPS, there's no reason why you can't use the DNS provided by DA on it and do it yourself, even with a single IP 😁
A few da dns webhooks to your domain provider's api and everyone can sniff his glue :)

I am a provider and fully understand why hosters would charge for dns services. We like to be in control of our infra so we do have multiple nameservers scattered over europe. But this is definitively a service WE pay for and not the customers.
 